// CRing ransomware detection, .NET sample. Hunting rule: the meta `level`
// marks it Experimental, i.e. not yet validated for false-positive rate in
// production scanning -- deploy as a hunting/triage signature, not a blocking one.
rule RAN_CRing_Apr_2021_1
{
    meta:
        description = "Detect CRing ransomware"
        author = "Arkbird_SOLG"
        date = "2021-04-08"
        reference = "Internal Research"
        // SHA-256 of the samples the byte patterns below were lifted from;
        // re-test against these whenever a string or the condition is edited.
        hash1 = "274ef2fba8ba46187f9cf462a02de286ea23ec75d163af01088f6856944817eb"
        hash2 = "f7d270ca0f2b4d21830787431f881cd004b2eb102cc3048c6b4d69cb775511c8"
        hash3 = "ebb528207b2fc06a6bc89e9d430bcdfe254f0838b0f4660f67cc6bd1ebc193be"
        level = "Experimental"
    strings:
    // code reuse: each pattern is a raw CIL method body. All three open with what
    // reads as a fat method header (`1b 30` flags/size, then max-stack, code size
    // and an `.. 00 00 11` local-signature token). The embedded `xx 00 00 0a`
    // operands (e.g. `73 23 00 00 0a` newobj, `6f 24 00 00 0a` callvirt,
    // `28 25 00 00 0a` call) are MemberRef tokens assigned by the compiler for
    // this particular build, so a recompiled or re-obfuscated variant can shift
    // them and silently break the match. Treat the patterns as sample-specific
    // code reuse, not a family-wide behavioural signature.
        // $str1: short method -- newobj, callvirt with a brtrue.s branch, two
        // ldstr (`72 .. 70`) fed into calls, a static field load (`7e 01 00 00 04`)
        // and a call into the assembly's own MethodDef table (`28 05 00 00 06`),
        // wrapped in a small try/catch (`de ..` leave, trailing EH section).
        // NOTE(review): ldstr takes a fixed 4-byte 0x70xxxxxx operand, so
        // `72 [1-4] 00 00 70` only lines up when the upper operand bytes are zero
        // (small user-string heap offset); a fixed `72 ?? ?? ?? 70` would cover any
        // string token -- confirm against the hashes above before changing it.
        $str1 = { 1b 30 03 00 4a 00 00 00 03 00 00 11 02 73 23 00 00 0a 0a 06 6f 24 00 00 0a 2d 3a 02 72 [1-4] 00 00 70 28 25 00 00 0a 0b 72 [1-4] 00 00 70 02 28 25 00 00 0a 28 1a 00 00 0a 06 6f 26 00 00 0a 07 7e 01 00 00 04 28 05 00 00 06 2c 06 06 6f 27 00 00 0a de 03 26 de 00 2a 00 00 01 10 00 00 00 00 1b 00 2b 46 00 03 13 00 00 01 }
        // $str2: the longest pattern. Reads as a routine that allocates two byte
        // arrays sized from callvirt results divided by 8 (`1e 5b` = ldc.i4.8, div;
        // `8d 2c 00 00 01` newarr), concatenates them, calls back into the assembly
        // (`28 06 00 00 06`), then builds nested objects and writes the buffers
        // inside several try/finally blocks (`de ..` leave / `dc` endfinally), ending
        // with a fat exception-handling table (the `41 94 00 00 ...` tail).
        // `20 [4]` wildcards a ldc.i4 immediate that varies between samples.
        // Presumably the per-file encryption/IO routine -- TODO confirm on a sample.
        $str2 = { 1b 30 05 00 1a 01 00 00 04 00 00 11 16 0a 73 28 00 00 0a 0b 07 6f 29 00 00 0a 1e 5b 8d 2c 00 00 01 0c 07 6f 2a 00 00 0a 1e 5b 8d 2c 00 00 01 0d 73 2b 00 00 0a 13 06 11 06 08 6f 2c 00 00 0a 11 06 09 6f 2c 00 00 0a de 0c 11 06 2c 07 11 06 6f 12 00 00 0a dc 08 8e 69 09 8e 69 58 8d 2c 00 00 01 13 04 08 11 04 08 8e 69 28 2d 00 00 0a 09 16 11 04 08 8e 69 09 8e 69 28 2e 00 00 0a 11 04 04 28 06 00 00 06 13 04 11 04 8e 69 28 2f 00 00 0a 13 05 07 08 09 6f 30 00 00 0a 13 07 02 19 73 31 00 00 0a 13 08 03 18 73 31 00 00 0a 13 09 11 09 11 07 17 73 32 00 00 0a 13 0a 11 09 11 05 16 11 05 8e 69 6f 33 00 00 0a 11 09 11 04 16 11 04 8e 69 6f 33 00 00 0a 11 08 11 0a 20 [4] 6f 34 00 00 0a de 30 11 0a 2c 07 11 0a 6f 12 00 00 0a dc 11 09 2c 07 11 09 6f 12 00 00 0a dc 11 08 2c 07 11 08 6f 12 00 00 0a dc 11 07 2c 07 11 07 6f 12 00 00 0a dc 17 0a de 0a 07 2c 06 07 6f 12 00 00 0a dc 06 2a 00 00 41 94 00 00 02 00 00 00 2b 00 00 00 12 00 00 00 3d 00 00 00 0c 00 00 00 00 00 00 00 02 00 00 00 ae 00 00 00 2c 00 00 00 da 00 00 00 0c 00 00 00 00 00 00 00 02 00 00 00 a2 00 00 00 44 00 00 00 e6 00 00 00 0c 00 00 00 00 00 00 00 02 00 00 00 99 00 00 00 59 00 00 00 f2 00 00 00 0c 00 00 00 00 00 00 00 02 00 00 00 90 00 00 00 6e 00 00 00 fe 00 00 00 0c 00 00 00 00 00 00 00 02 00 00 00 08 00 00 00 06 01 00 00 0e 01 00 00 0a 00 00 00 00 00 00 00 }
        // $str3: small wrapper -- newobj, two callvirts on the new object, then a
        // try/finally that disposes the local (`6f 12 00 00 0a`, same MemberRef the
        // finally blocks in $str2 call) and returns. Being the shortest pattern it
        // is the most likely of the three to collide with unrelated .NET code.
        $str3 = { 1b 30 03 00 24 00 00 00 05 00 00 11 73 35 00 00 0a 0a 06 03 6f 36 00 00 0a 06 02 17 6f 37 00 00 0a 0b de 0a 06 2c 06 06 6f 12 00 00 0a dc 07 2a 01 10 00 00 02 00 06 00 12 18 00 0a 00 00 00 00 }   
    condition:
        // MZ header, minimum size, and any two of the three CIL bodies.
        // There is no upper filesize bound, so every PE above 5 KB is scanned in
        // full for all three patterns; acceptable for hunting, worth bounding
        // (once the sample sizes are known) before use in high-volume scanning.
        uint16(0) == 0x5a4d and filesize > 5KB and 2 of them
}
